Hackers breached U.S. LNG producers in mid-February and on the eve of Russia’s invasion of Ukraine
More than 100 workers were hacked when attackers gained access to computers belonging to current and former employees at about two dozen major US natural gas suppliers and exporters in mid-February and on the eve of Russia’s invasion of Ukraine, Bloomberg reported.
The targeted companies include Chevron Corp., Cheniere Energy Inc. and Kinder Morgan Inc., according to research shared exclusively with Bloomberg News, which cited Gene Yoo, CEO of Los Angeles-based Resecurity Inc., the firm that discovered the operation.
Bloomberg added that the attacks focused on companies involved with the production of liquefied natural gas (LNG) – “and they were the first stage in an effort to infiltrate an increasingly critical sector of the energy industry,” the report noted.
Some of the files Resecurity shared with Bloomberg provide a rare glimpse into the live hacking operation. Per Bloomberg, the files show that during the two-week blitz in February, the attackers were able to gain access to more than 100 computers belonging to current and former employees of 21 major energy companies. Bloomberg said:
“Resecurity’s investigation began last month when the firm’s researchers spotted a small number of hackers, including one linked to a wave of attacks in 2018 against European organizations that Microsoft Corp. attributed to Strontium, the company’s nickname for a hacking group associated with Russia’s GRU military intelligence service.”
Yoo told Bloomberg that, in some cases, the hackers compromised the target machines themselves, and in others they paid to get access to specific computers that were already infected by other hackers, offering as much as $15,000 per computer.
Yoo said the motive of the operation isn’t known at this time, but the timing coincides with broader changes in the energy industry that have been accelerated by Russia’s war. Yoo told Bloomberg that he believed the attack was carried out by state-sponsored hackers, but declined to speculate further.
It is not uncommon for hackers to use breached computers for “pre-positioning,” or as a launching pad into protected corporate networks.
Yoo also cautioned that it’s unclear if the attacks are directly related to the invasion of Ukraine, but the firm said the hacks began about seven days before the Russian invasion of Ukraine, after U.S. officials had urged critical infrastructure operators to “adopt a heightened state of awareness” for Russian state-sponsored attacks. Yoo added, “Recent tensions around Nord Stream 2, global market changes, as well as conflict in Ukraine are obvious catalysts.”